On Cyber Security for Networked Control Systems
- Amin, Saurabh
- Advisor(s): Bayen, Alexandre M.; Sastry, Shankar
The instrumentation of infrastructure systems by embedded sensors, computation, and communication networks has enabled significant advances in their management. Examples include monitoring of structural health, traffic congestion, environmental hazards, and energy usage. The use of homogeneous (especially commercially available off-the-shelf) information technology (IT) solutions makes infrastructure systems subject to correlated hardware malfunctions and software bugs. Over the past decade, many concerns have been raised about the vulnerabilities of infrastructure systems to both random failures and security attacks. Cyber-security of Supervisory Control and Data Acquisition (SCADA) systems is especially important, because these systems are employed for sensing and control of large physical infrastructures. So far, the existing research in robust and fault-tolerant control does not account for cyber attacks on networked control system (NCS) components. Also, the existing research in computer security neither considers the attacks targeting NCS components nor accounts for their interactions with the physical system. The goal of this thesis is to bridge this gap by focusing on (1) security threat assessment, (2) model-based attack diagnosis, and (3) resilient control design.
First, cyber-security assessment for SCADA systems is performed based on well-defined attacker and defender objectives. The mathematical model of SCADA systems considered in this work has two control levels: regulatory control using distributed proportional-integral (PI) controllers, and supervisory fault diagnosis based on approximate dynamical system models. The performance of a PI-control-based regulatory scheme and a model-based supervisory diagnostic scheme is studied under a class of deception attacks. In order to test the system resilience, a class of stealthy attacks which can evade detection by SCADA systems is presented.
Second, design of attack diagnosis schemes that incorporate the knowledge of physical dynamics of the system is presented. For SCADA systems used to manage water canal networks, an observer-based attack diagnostic scheme, in which each observer estimates the state of a reduced-order flow model, is presented. The observer parameters are computed using a convex optimization method, and the performance of this scheme is tested on a number of attack scenarios. An application of the theoretical results is illustrated by a field operational test performed on the SCADA system of the Gignac water canal system, located in Montpellier, France. A successful experimental cyber-attack on the sensors and actuators of this canal network revealed new vulnerabilities of the current SCADA system implementation.
Another illustration includes security analysis of two benchmark scenarios: the Tennessee Eastman process control system (TE-PCS) and a power system state estimator (PSSE). In both cases, model-based statistical detection schemes are used to study stealthy deception attacks. For the case of TE-PCS, design of practically implementable attack-detection and response mechanisms to maintain operational safety is presented. For the case of PSSE, it is assumed that the attacker only has partial knowledge of the actual system model. For a set of attacker objectives, the trade-off between the attacker's knowledge and the possible impact of a successful attack on the performance of false data detection schemes is studied.
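The model-based detection scheme and the partial-knowledge trade-off described above, as an added example that is not part of the thesis: a pure-Python DC state estimator with chi-square bad-data detection, run on a constructed 3-bus network (the susceptances, bus angles, noise vector and the threshold 13.28, the 1% chi-square critical value for 4 degrees of freedom, are all assumptions of this example). It shows that a single tampered reading trips the residual test, that an injection consistent with the exact model passes the test while silently biasing the estimate, and that the same injection built from a wrong line parameter is caught, which is why model and topology data deserve the same protection as the measurements themselves.

```python
def transpose(A): return [list(col) for col in zip(*A)]
def matmul(A, B): return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]
def matvec(A, v): return [sum(a * b for a, b in zip(r, v)) for r in A]

def solve(A, b):
    # Gaussian elimination with partial pivoting; A is 2x2 and well-conditioned here
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(M[r][i]))
        M[i], M[p] = M[p], M[i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            for c in range(i, n + 1):
                M[r][c] -= f * M[i][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][c] * x[c] for c in range(i + 1, n))) / M[i][i]
    return x

def dc_jacobian(b12, b13, b23):
    # Constructed 3-bus DC model, state = [theta2, theta3] with theta1 = 0 (reference bus).
    # Rows: line flows P12, P13, P23, then bus injections P1, P2, P3.
    return [[-b12, 0.0], [0.0, -b13], [b23, -b23],
            [-b12, -b13], [b12 + b23, -b23], [-b23, b13 + b23]]

def wls_estimate(H, z):                       # least-squares state estimate (unit weights)
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))
def residual_stat(H, z, sigma):               # J = ||z - H x_hat||^2 / sigma^2
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(H, z)))]
    return sum(ri * ri for ri in r) / sigma ** 2
def bad_data_detected(H, z, sigma, tau=13.28):  # 13.28: 1% chi-square critical value, m - n = 4 dof
    return residual_stat(H, z, sigma) > tau

H_TRUE = dc_jacobian(10.0, 5.0, 8.0)        # operator's (correct) model, assumed values
X_TRUE = [-0.05, -0.10]                      # constructed true bus angles (rad)
SIGMA = 0.01
NOISE = [0.01, -0.01, 0.005, 0.0, 0.01, -0.005]   # constructed, about 1 sigma per reading
Z_CLEAN = [h + e for h, e in zip(matvec(H_TRUE, X_TRUE), NOISE)]
def inject(z, a): return [zi + ai for zi, ai in zip(z, a)]

def evaluate_detector(c=(0.05, 0.0)):
    # Three deception scenarios: one tampered reading, an injection consistent with the exact
    # model (shifts the estimate by c), and the same injection built from a wrong b23 (4 vs 8).
    c = list(c)
    cases = {"crude": inject(Z_CLEAN, [0.5, 0, 0, 0, 0, 0]),
             "full_model": inject(Z_CLEAN, matvec(H_TRUE, c)),
             "partial_model": inject(Z_CLEAN, matvec(dc_jacobian(10.0, 5.0, 4.0), c))}
    return {name: bad_data_detected(H_TRUE, z, SIGMA) for name, z in cases.items()}
```

`evaluate_detector()` returns `{"crude": True, "full_model": False, "partial_model": True}`; the residual statistic for the full-model case equals the clean one, so residual-based detection alone cannot see that injection.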
Third, the stability of linear hyperbolic systems of PDEs when the boundary control actions and the system parameters switch discontinuously between a finite set of modes is studied. Switched PDE models can describe a class of fault and attack scenarios resulting from intermittent withdrawals through offtake nodes and compromise of sensor-control data. Motivated by such scenarios, a new condition for stability of linear hyperbolic systems of PDEs under arbitrary switching of boundary control actions and system parameters is derived. A class of switching attack strategies is presented, which violate the stability condition and result in unstable flow dynamics.
Fourth, the problem of controlling stochastic linear systems in networked control settings is considered when the sensor-control data is prone to packet loss and jamming. For a class of packet drop models, feedback control policies which minimize a given objective function subject to safety constraints are synthesized. For marginally stable systems, under mild hypotheses on the noise introduced by the control channel and large enough control authority, the synthesis of a control policy that renders the state of the closed-loop system mean-square bounded is presented.
Finally, a class of games involving discrete interdependent risks is considered when each player is an NCS, and their security is interdependent due to the exposure to network-induced risks. The problem of security decisions of individual players is formulated as a two-stage non-cooperative game defined as follows: in the first stage, the players decide whether to invest in security or not; and in the second stage, they apply control inputs to minimize the average operational costs. The characterization of the equilibria of the game is presented, which includes the determination of the individually optimal security levels. The presence of interdependent security causes a negative externality, and the individual players tend to underinvest in security relative to the social optimum. From these results, for a wide parameter range, public policy incentivising higher security investments is desirable.